First Ever HIPAA Fine Is $4.3M
Trailrunner7 writes "The health care industry's toothless tiger finally bared its teeth, as the US Department of Health and Human Services issued a $4.3M fine to a Maryland health care provider for violations of the HIPAA Privacy Rule. The action is the first monetary fine issued since the Act was passed in 1996. The US Department of Health and Human Services (HHS) issued a Notice of Final Determination to Cignet Health care of Temple Hills, Maryland on February 4. The notice followed a finding by HHS's Office of Civil Rights that Cignet failed to provide 41 patients with copies of their medical records and failed to respond to requests from HHS's Office of Civil Rights for information related to the complaints."
Next thing you know, the feds will be enforcing FERPA.
I'm surprised that the first fine is due to the portability aspect of the law, not the security portions of the law. Of course, either is a win for consumers!
I'm a med student who has worked in several hospitals, and have yet to see one where HIPAA is rigorously followed. Directives by management are common, but when HIPAA impedes patient care (it's a hassle and timekiller to comply completely), it is always worked around. Doctors by and large, in my experience, toss HIPAA aside the first time they have to decide what to do with their limited time - adhere to every last rule or take care of a patient.
I'm really surprised it's taken this long for a fine to come about.
Sounds like exactly what this lawsuit was about. Not giving patients their records.
Yeah, and I never looked into HIPAA enough to realize until now that it included protecting the patient's right to access, not just privacy. Good ammo for my next visit.
Think it's about time!
who will eventually pay for those fines?
Nothing but hot air puffing up some ego.
I just love it.
to send a large middle finger to the feds by burying them in discovery (this seems fairly common; more info than needed is sent in the hopes that it is too large a task), and in response to a HIPPA complaint about their non-compliance with patient medical record access, Cignet violates nearly every portion of the privacy sections of HIPPA.
I think the fine should be 10X
Create like a god, command like a king, work like a slave. -Guy Kawasaki
I first read the headline as 54.3 million and thought 'now that is a fine.' But just 4.3? I tried looking up this company and could find nothing about their revenue, prices, pay for doctors, anything. Is this a small set of clinics that doesn't give their CEO a million in expense accounts, or is it the government forgetting that companies really do compare the cost of a fine versus the cost of complying?
The fact that they would not give the patients their records as requested, totally ignored all legal requests, and finally coughed up 4,500 other records that were not even asked for? This health care company acted either like a spoiled petulant child or a clueless moron. Either way these are NOT the people I want keeping my records.
You can read the entire Penalty notice, which lays out a good timeline of what went on. HHS sent them letters, phone calls, sign and return receipt requested letters, then subpoenaed them and after all that Cignet didn't even bother to show up in court. When the judge threatened penalties, they gave thousands of patient charts over, even though the subpoena was for only 30 records.
Looks like they had it coming, or else someone really badly has to fire their office administrator.
Me: "Could you email me a copy of my (digital) xrays?" Them: "Sorry, that would be a HIPAA violation."
That would be since your name is on them and, as we all know, email is basically an electronic postcard. You certainly can make secure email systems and larger health care organizations often have them. Smaller places just don't want to bother with it yet. Keep whining at them.
Me: "Could you copy them to my flash drive then?" Them: "Sorry, that would be a HIPAA violation."
That's not a HIPAA violation, that's an obvious security issue. Nobody in their right mind would let you plug some random flash drive into the hospital network.
Me: "Okay fine, could you print me a copy?" Them: "Sorry, we can't print from this system. We set it up that way to save the rainforests." ...
If that's really true, then the health care provider is bullshitting you. Everybody has the capacity to print on x-ray film - that's the current "lowest common denominator" for radiologic data. The other common way is a CD, and pretty much anybody I've seen can at least do CDs of CT or MRI data (since that is always digital anyway).
HIPAA is currently being used as the common excuse for not wanting to do something in Medical Records. It's a handy little bogeyman. There has to be some upside to governmental regulation.
Faster! Faster! Faster would be better!
For the last several years I've requested and received copies of all medical imaging data for myself, my mother and my father. In a couple of cases they mailed me a CD, but in all others they gave me the disc before I left. Never any hassle, I just had to ask.
The data is in DICOM format (http://en.wikipedia.org/wiki/Digital_Imaging_and_Communications_in_Medicine). There are free viewers for Linux, Mac, and Windows.
I had a CT done of my head. Pretty cool to watch in 3D.
My Dad has a stent in his aorta. Watching the imaging of them testing it for leaks with radioactive contrast is wild.
If I were a hospital or clinic, I would interpret this the opposite. This is the first time anyone has EVER been fined, and it's for blatant refusals to give medical records to dozens of people or respond to mail. Given what it takes to actually be fined, I would stop harassing people with useless HIPAA notices and using it to obstruct anything from getting accomplished whenever convenient.
tm
Support TBI Research: http://www.raisinhope.org
This doesn't faze them one bit... of the 4 hospitals they run, they have 925 beds between the 4 of them... they're raking in $$$... especially when 99% of Maryland facilities only negotiate 2% discounts.. even on a $51K bill. Blasphemy!
I checked their site and found this...
HOSPITAL AFFILIATION: Southern Maryland Hospital, Clinton, MD, Doctors Community Hospital, Lanham, MD, Laurel Hospital, Laurel, MD, Prince Georges Hospital, Cheverly, MD*
Then I searched the 4 hospitals...
Prince George's Hospital Center - # of beds = 329; Total Patient Revenue: $291,123,454; Total Discharges: 15,789; Total Patient Days: 101,520
Southern Maryland Hospital - # of beds = 276; Total Patient Revenue: $232,772,744; Total Discharges: 18,567; Total Patient Days: 72,954
Doctors Community Hospital - # of beds = 190; Total Patient Revenue: $196,845,854; Total Discharges: 12,357; Total Patient Days: 51,708
Laurel Hospital - # of beds = 130; Total Patient Revenue: $91,931,570; Total Discharges: 7,266; Total Patient Days: 29,500
You do the math!
Also seriously: One of the HIPAA loopholes that patients aren't always told about is that HIPAA privacy rules don't necessarily apply when the government gets involved. One could easily argue that Cignet shouldn't have released those 4,500 unneeded records, you bet...but one could also argue that the release of those records didn't automatically trigger a HIPAA violation, as they were released in response to an oversight request, e.g. "Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law." (source: CDC.gov). If HITECH changed that, it'd be news to almost everyone -- when is the last time that the government willingly adopted rules restricting their own capabilities?
Regardless, IMO if they would've done exactly the same release of information BUT responded in a timely fashion to the Government's demands, there wouldn't have even been a $43 fine. Because that's the way that the Government seems to work.
It also applies to any medical records your employer is privy to. Don't forget that when you consider the implications of patient's right to access.
Any employer who is not paying attention to HIPAA is going to (eventually) get in trouble. It's not just healthcare providers and doctors who have to worry about it. It's anyone who handles medical records and/or medical information. Drug test results, results of pre-employment physicals, DOT testing results, etc, etc. All of these are HIPAA related between you and your employer.
I suspect the lawyers are just waiting for a few test cases to trickle through before they open up the floodgates. This CIGNET case is pretty egregious but there will be other cases that will be more nuanced.
They're required by law to provide you with the records you are requesting. X-ray data is considered part of your medical record, and legally you are the owner of it. Not sure if you actually had this discourse, or if it's hypothetical, but if it's the former, you should probably remind them of that fact. Then again, I don't know if dentistry is subject to the same regulations as hospitals / other health care providers, but I would assume so. What I said definitely applies to hospitals.
THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
And the unwashed masses still think HIPAA is spelled "HIPPA"
Why isn't it? We've made LAWS saying that this stuff IS important.
And also having worked in government public health, it is something taken very seriously. Lives ARE on the line. Example: A database with AIDS patient information being 'leaked' in the wrong part of the wrong state/country to the wrong people very well might end up with people being beat to a bloody pulp because some ignorant fuck finds out some guy has AIDS and assumes that means he's also gay AND deserves a beating.
There's of course all the issues of discrimination due to ignorance when it comes to medicine as well, especially with things relating to mental health.
So yes, I expect them to follow the law and if that means occasionally it hurts people then we either change the law or we accept that the good it does outweighs problems it causes.
You however, DO NOT GET TO DECIDE because THE PUBLIC COLLECTIVELY HAS DECIDED.
You're looking at it through a tiny instant in time through a tiny pinhole and ignoring everything else trying to come up with an instance to justify your reaction to his statement, the problem is that you are completely unqualified (I say that based on the fact that you raised the question alone) to make that decision, which is why it isn't your decision and there are laws relating to it.
Again. YOU DON'T GET TO DECIDE WHICH LAWS TO FOLLOW AND WHEN YOU FOLLOW THEM, but you do get to vote for the people who make the laws. Change the laws or follow them, nothing else is acceptable.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
They tried the bury-them-with-paper defense. This rarely works against the government or any other large group that can throw all the bodies at the problem that they need.
Did I say I work in health care?
No I didn't and HIPAA doesn't just apply to patient care, it also applies to mental health, disabilities, etc.
I stand by my comment - I work in a state governmental agency and we take it very seriously.
Again. YOU DON'T GET TO DECIDE WHICH LAWS TO FOLLOW AND WHEN YOU FOLLOW THEM, but you do get to vote for the people who make the laws. Change the laws or follow them, nothing else is acceptable.
Yes, I do. The court may decide to punish me for breaking a law, but it is always my decision whether or not I will follow a law. See the concepts of civil disobedience and free will. An unjust law should never be followed, and even a just law should not be followed blindly.
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
I did RTFA, and I'm not sure if the fine was for the denial of access, or for the extra 4500 people submitted to HHS's office of civil rights.
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
I'm not so sure the HIPAA fine is in regard to denying patients access to their own data. I work at a medical institution, and went through a half day's worth of online HIPAA training a few months ago. It included the whole history of lots of bad things that have happened in the past, why we need patient privacy, ethics, various examples of who can and cannot access the data, etc. The entire training course was all about protecting patient privacy from third parties. Nowhere was there any discussion about patients having the right to access their own data. If there is a provision regarding this in HIPAA, I can say that it's definitely not included in standard training courses (and my course was a standard course from a company that many institutions use for their HIPAA training).
If you read further in the article, you will see that HHS requested the patient records on behalf of the patients who had filed complaints. Rather than simply provide records for the 41 patients in question, Cignet complied by pulling the standard legal BS of swamping them with 59 boxes of records, including those of ~4500 *other* individuals. THIS is likely where the HIPAA fine is coming from -- the release of records for 4500 patients to a party not authorized to see them (I assume HHS was only authorized to see the records of the 41 individuals who filed complaints). This would work out to be roughly $1000 per "incident".
This was incredible stupidity on Cignet's part. They got what they deserved.
Another thing to check is how they bill your visit to your insurance company.
I doubt many are billing outright fraudulently...but they might bill a code that implied that the doctor had seen you directly for 30 minutes...when he had actually been in the room for about 3. There is a cheaper rate for that. Since almost nobody ever looks at this, it never gets caught. Except if you were that provider that didn't know I had that level of access to my insurance claims...and that understanding of what the procedure codes were. (They IMMEDIATELY changed it when I brought it to their attention).
You're looking at it through a tiny instant in time through a tiny pinhole and ignoring everything else trying to come up with an instance to justify your reaction to his statement, the problem is that you are completely unqualified (I say that based on the fact that you raised the question alone) to make that decision, which is why it isn't your decision and there are laws relating to it.
No. I am looking at poster #1 who offered a very specific situation. Poster #2 then offered a very general and somewhat tangential response that could be interpreted several ways due to its vagueness. I pointed this out to poster #2, offering one interpretation that he probably did not intend and suggested he elaborate to avoid this miscommunication.
Your hysteria is causing you to see things that are not there.
They can email it to you. I am not asking for a discussion on whether this is the right way to do it...but a password protected zip/rar/etc passes HIPAA muster, as long as the password isn't in the email itself ofc. Although I completely agree with you, HIPAA is used as an excuse for not wanting to do something. And a way for a lot of companies to make a lot of money.
If you have determined that a law is unjust or has bad side effects, then in addition to your civil disobedience, I would submit that you have a civic duty to press for the law to be changed. The details of the law and of your circumstances will define what that civic duty looks like in action, but merely disobeying is not civil, it's immature.
Agreed. The basis of civil disobedience is that by disobeying an unjust law, you serve (by example) to bring to light what is wrong with the law.
The idea doesn't exactly apply here... I'd be hard pressed to imagine a doctor disobeying HIPAA to deliberately show what is wrong with it. I could however very easily imagine a doctor ignoring HIPAA when it interferes with their ability to treat a patient - and then just moving on with their day.
That would be since your name is on them and, as we all know, email is basically an electronic postcard.
The ability for someone to see the contents of those records in transit is irrelevant because the owner of the information has requested it be sent that way. Nice try, but that argument is roughly the same as telling the patient they won't understand them so it's dangerous to give them to the patient. The user has requested them, you are required to supply them, period.
You can, however, simply say 'we'll mail them to you for a fee of $XXX, and that's the only way we send records'. You're trying to add 'security restrictions' where none exist. There are rules for storage, and you're expected to make minor reasonable efforts to keep the records safe, but the rules are pretty lax and they end the instant the patient requests you provide the information.
HIPAA's primary purpose was to ensure that patients got access to their data and that it wasn't held ransom by providers who wanted to make sure you couldn't use another doctor. 'Security' was and is a secondary (arguably just as important) function. It basically changed the idea that your provider owned medical data about you to YOU own ALL medical data about YOU, the provider doesn't.
Let me get this straight, you let them use a law that was intended to provide you access to information as an excuse to prevent you from getting access to information about your child?
Let me step back a little further ... you let them deny you access to your child? How many people did you kill before you stopped?
"The health care industry's toothless tiger finally bared its teeth [...]"
Congratulations on writing one of the worst sentences ever.
Funny you should say that. Recently I was talking to someone who works in a clinic. They have centralized virus scanning, and he was notified when one of the machines in the patient intake area reported finding some item of malware. Turned out a patient had brought her medical records on a USB stick, and the person behind the desk plugged it into her computer to copy the materials from it.
I wouldn't be surprised if the malware was installed on the device when the records were copied there in the first place.
Let me hasten to add that this is an institution that takes HIPAA seriously, but still has these little vulnerabilities. They're looking into disabling USB storage via Group Policies. I suggested filling the USB ports with epoxy as well.
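The post above mentions disabling USB storage via Group Policy. As an added example (not the clinic's configuration), here is a PowerShell audit of the registry values that the "Removable Storage Access" policies write, plus a function that applies the deny setting locally; the paths and value names are the documented policy targets, and the script assumes an elevated session on a single workstation (in a domain the same values would come from a GPO).

```powershell
# Added example: audit and optionally apply the "Removable Storage Access" deny
# policy on a Windows workstation, e.g. a patient-intake PC. The registry paths
# below are the targets of the Group Policy settings under
# Computer Configuration > Administrative Templates > System > Removable Storage Access.
# Assumes an elevated PowerShell session; in a domain, deliver the same values via GPO.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" (USB sticks, card readers).
$RemovableGuid = '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# Service key for the USB mass-storage driver; Start = 3 (manual, default), 4 = disabled.
$UsbStorSvc    = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy state "Not Configured").
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-RemovableStorageStatus {
    # Reads the policy values and reports whether a USB stick plugged into this
    # machine could still be read from or executed from.
    $classPath = Join-Path $PolicyRoot $RemovableGuid
    $denyAll   = Get-RegDword $PolicyRoot 'Deny_All'
    $denyRead  = Get-RegDword $classPath  'Deny_Read'
    $denyWrite = Get-RegDword $classPath  'Deny_Write'
    $denyExec  = Get-RegDword $classPath  'Deny_Execute'
    $usbStart  = Get-RegDword $UsbStorSvc 'Start'

    # Any one of these blocks the "copy records off the patient's stick" path.
    $blocked = ($denyAll -eq 1) -or ($denyRead -eq 1) -or ($usbStart -eq 4)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DenyAllClasses     = $denyAll
        RemovableDenyRead  = $denyRead
        RemovableDenyWrite = $denyWrite
        RemovableDenyExec  = $denyExec
        UsbStorStart       = $usbStart
        UsbStorageBlocked  = $blocked
    }
}

function Set-RemovableStorageDenied {
    # Writes the same values as "Removable Disks: Deny read/write/execute access",
    # so removable media cannot be read, written, or run from on this machine.
    $classPath = Join-Path $PolicyRoot $RemovableGuid
    New-Item -Path $classPath -Force | Out-Null
    foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
        New-ItemProperty -Path $classPath -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
    }
    # Return the post-change state so the caller can verify UsbStorageBlocked is $true.
    Get-RemovableStorageStatus
}

# Audit only by default; call Set-RemovableStorageDenied to enforce.
Get-RemovableStorageStatus | Format-List
```

Denying read access also blocks the legitimate case of a patient bringing records on a stick, so pair the policy with a sanctioned intake path (such as a scan or a dedicated non-networked machine).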
All they'll do is pass the cost to patients. If you want the law to have teeth, you threaten to throw their officers' sorry asses into pound-me-in-the-ass prison. That'll get their undivided attention and obedience.
ELOI, ELOI, LAMA SABACHTHANI!?
Mass General agreed to pay a $1 million fine this past week for a HIPAA violation. One of its staff members left the records for 192 patients on a subway train. They were never recovered.
http://www.hhs.gov/news/press/2011pres/02/20110224b.html
These are the kinds of practices HIPAA was designed to prevent. I, for one, am glad to see HHS enforcing these rules. Just the fact that someone could be carrying the records for 192 patients around with them while commuting shows how cavalierly some medical staff handle their patients' personal data.
Well, you do, at risk of being fined, arrested, shot (while fleeing), ending up as Bubba's "wife" in the cell...
Don't worry the "Conservative" courts will void it on appeal. You have to protect the corporations, the economy depends on them. All people are created equal, but some are more equal than others....
putting the 'B' in LGBTQ+
The ability for someone to see the contents of those records in transit is irrelevant because the owner of the information has requested it be sent that way.
While the patient has requested that they see their records, they did not request that anybody that can pick off the email in transit can see them.
Nice try, but that argument is roughly the same as telling the patient they won't understand them so it's dangerous to give them to the patient. The user has requested them, you are required to supply them, period.
I have no idea why you think that requiring secure email is connected with whether or not the patient understands their medical records. It's simply that using an insecure method of communication for material that is by nature intensely private is not a good idea. Yes, you have to give the records to the patient (that was the issue in TFA), but the medical provider does have some leeway in how they are delivered and plain old email isn't allowed.
No
Then you are stating that your initial comment was a non sequitur. As it implies some disagreement with the previous poster, which would not be consistent with your implications in this post.
He said "HIPAA is not more important than a patient's life" and you responded "government workers take it seriously, regardless of the patient's health." If that's not your intention, then you made an error. Insisting that's not what you meant won't change how it comes across. Just say "I was wrong" and move on.
Learn to love Alaska
Obviously there's regional variation for this. I'm also a med student who has worked in several hospitals, and I've yet to find one where HIPAA is *not* rigorously followed, even when this creates weird and novel situations. Such as when a white board for patient names, details, and staff assignments is visible to patient or public areas, and gets changed to an entire list of the last names' first two letters plus first initial. So everyone is Le or Je or Su or Ma, and basically it looks like the entire patient population is now Vietnamese.
In my experience, the issue is with people less educated about HIPAA's constraints and permissible information sharing instead taking it as a blanket ban on discussing *anything* about a patient - even when in non-public areas and among a treatment team. In point of fact, the JCAHO regs around patient identifying information and public discussion tend to be stricter than HIPAA when it comes to medical centers.
Da Blog
most people save them in Word documents on a shared drive, accessible by anyone in the institution and blatantly violating HIPAA
I've seen that happen. But you know what? You can make Word encrypt your docs quite securely with a single click. There's really no excuse for leaving world-readable docs lying about when it's so trivial to harden them.
"as much as 90 percent of the published medical information that doctors rely on is flawed"
I'm pretty sure there's a Sturgeon's Corollary out there someplace, where it is revealed that as each discipline begins to examine itself, it finds that the evolution of its episteme tends to approach Sturgeon's Revelation asymptotically.
Welcome to reality, where if you live long enough, everything you think you know *for sure* will turn out to be wrong. Or maybe just misguided. The real test is how you deal with new knowledge. Do you keep up and stay current, or do just relax and maintain an elaboration of a worldview and assumptions fundamentally frozen during your adolescence. Doctors are taught over and over in med school that what they are learning is provisional, rapidly changing, and contingent. Many fail to assimilate that important lesson, but many do not.
I didn't realize you were the intention police. I will consider myself warned but free to go.
Windows is NOT universal for medical record storage. Linux and AS400 are very much in use. Also, Windows does not silently push out any patches to our network. Each one is reviewed and approved before distribution to our workstations and servers using WSUS. HIPAA is taken very seriously at all levels in our hospital and our IS organization. Our CIO literally stays up nights worrying over potential security holes.
Please mod me 1 or troll. It's where the truth is these days, even on Slashdot. Beware the power of moderators everywh
Yep. And the bigger they are, the more likely they are on a UNIX system. I make most of my money because the kids don't get the difference between / and \
No, I'm the clarification police. When you are wrong and an ass about it, don't be surprised if someone points it out to you. At least you were gracious in not insulting someone who politely pointed out the situation. Oh wait, you were like every other jackass on the Internet.
While the patient has requested that they see their records, they did not request that anybody that can pick off the email in transit can see them.
That's incorrect. The patient authorized release of the records in a specific manner. If they were requested to be left on the front doorstep and signed the permission slip, then it's an authorized release (even if not legal under HIPAA). If the patient doesn't want the risk, they shouldn't authorize the release.
It's simply that using an insecure method of communication for material that is by nature intensely private is not a good idea.
My medical records aren't "intensely private." I don't care if they were sent to me via billboard so I, and everyone else on my commute, could read them. If I authorize that, I don't understand why you would want to make that authorized release illegal. Why do you hate me getting my records in the manner I wish?
What would you suggest? Opening up an email from a patient? We know no viruses travel in emails. Or should we just go back to paper everything and have to bring them in on paper and let them scan them back in every time we move records?
Well, maybe to start with, how about having a computer for this purpose that's not on the network?
But then, how would you get the file from the patient to the patient's files? Take it from their USB stick, put it on the DMZ computer, then put it on a different stick to walk to the networked computers? Why not just have the standard for all the networked computers be the same as you'd put on the DMZ computer?
Unfortunately, the "easiest" fix is to have a central repository with medical data. That's unfortunate in that all the conspiracy theorists would assert that it would be misused, and the "conservatives" would want small government, so rather than the government doing it, they would insist that the government write checks to some private company to do it for 10 times the cost, because for some reason, 10x overhead is "small."
In your overly ornate categorical prescription of the "difference" between the reified 'Science' and 'Arts' as discrete and self-similar fields of human activity, you are conflating intentionality with ontology. You are also ascribing a teleological direction to the "progress" of human activity, and authoring a moral judgement upon the "forces" that constrain "scientific progress" within medicine. Lastly, I suspect you are promulgating Polanyi-Kuhn incommensurability between scientific paradigms, a notion that has many supporters, but also many detractors, and is in many areas orthogonal to your teleological framing. You fail to address the tension between these two theses. In short, your argument as presented, while possessing merit, does not produce a sufficient synthesis to derive a satisfactory conclusion, especially when considering your moral focus.
I always RTFA. The fact that you and I both seem to have read the same material, and are using the same language and grammar, yet are failing to communicate, is in a sense the essence of incommensurability in action. We are expressing different paradigms, which is ironic given the Polanyi-Kuhn comment. The fact that you say you do not know who Polanyi or Kuhn were or what they said does not negate the fact that you used an argument very similar to theirs.